On Fri, 2013-11-22 at 13:52 +0200, Timo Sirainen wrote:
On 22.11.2013, at 9.22, Patrick Ben Koetter <p@sys4.de> wrote:
- Timo Sirainen <dovecot@dovecot.org>:
On 22.11.2013, at 0.35, Gareth Palmer <gareth@acsdata.co.nz> wrote:
The following patch adds support for enabling MYSQL_OPT_SSL_VERIFY_SERVER_CERT.
It makes the mysql client library check that the commonName in the server's SSL certificate matches the host name provided to mysql_real_connect() and aborts the connection if the name doesn't match.
If someone goes through the trouble of using SSL with MySQL .. should this even be optional? I guess I shouldn’t break any v2.2 installations even accidentally, but for v2.3 I don’t really see any point in not having this enabled unconditionally.
It should be optional or it will break other running systems when they update/upgrade.
But perhaps it should break (in v2.3.0)? Otherwise it’s not really running securely anyway. At least the default should be to verify the cert.
Attached is a revised patch that defaults to verifying the cert.
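As an added illustration (not part of this thread and not the Dovecot project's own code or documentation): what the change discussed above looks like from the operator's side, in the mysql driver's connect string in Dovecot's sql.conf.ext. The option name ssl_verify_server_cert, the host name and the file paths are assumptions chosen for the example; the thread itself does not name the setting.

```conf
# Weak: TLS is negotiated, but the client never checks whose certificate
# it received, so any certificate presented on the way to the server is
# accepted. This is the pre-patch behaviour the thread describes.
connect = host=db.mail.example.org dbname=mail user=dovecot password=secret \
          ssl_ca=/etc/ssl/certs/mysql-ca.pem

# Corrected: the client passes MYSQL_OPT_SSL_VERIFY_SERVER_CERT to the
# mysql client library, which compares the commonName in the server's
# certificate with the host= value given to mysql_real_connect() and
# aborts the connection on a mismatch. (ssl_verify_server_cert is the
# assumed option name; the patch in the thread makes this the default.)
connect = host=db.mail.example.org dbname=mail user=dovecot password=secret \
          ssl_ca=/etc/ssl/certs/mysql-ca.pem ssl_verify_server_cert=yes
```

Two practical points when turning this on: the check can only pass if ssl_ca points at the CA that issued the server certificate, and host= must be the name that appears in the certificate's commonName, not an IP address or an alias, because the library compares that string literally.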